include/require

Dave9191
Forum Newbie
Posts: 9
Joined: Wed May 28, 2003 11:31 am

Post by Dave9191 »

Hi, I have a question about the include/require functions.

I am making a site that connects to a database on most pages. So naturally I don’t want to have to put the database details into each page individually. So I have one page that has all the details and I include them into the other pages of the site.

But I have a question about the security of this method. Is it possible for someone from outside of the site (same server or different server) to be able to include that file into their own script if they know where it is and interact with my database? Or is this method safe? :) And if it's not, what else can I do?

Thanx
mrvanjohnson
Forum Contributor
Posts: 137
Joined: Wed May 28, 2003 11:38 am
Location: San Diego, CA

Post by mrvanjohnson »

Depends on how you configure your MySQL database, connections and permissions. Personally, I only connect to a MySQL database using localhost with a user who only has permissions to connect via localhost. With this method, only people local to your box could be a threat.

Even if you need to connect to another MySQL database across the network, you can configure it to only accept connections from a specific IP address, which would be your IP address.

Not sure how you can address a local threat on a shared box.
Dave9191
Forum Newbie
Posts: 9
Joined: Wed May 28, 2003 11:31 am

Post by Dave9191 »

Unfortunately, I don't configure the database or the server. I use 2 hosts. One that has been provided for me by someone (professional server) and lycos free hosting :)

What I am worried about is that someone who might know how my site is organised and has another account on lycos, could they be a potential threat?
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

The abuser's script must be able to read the source code to call functions within the script. If you have a file like

<?php
function connectmysql($database)
{
	return mysql_connect(....);
}
?>
one can call it via HTTP, but it'll be parsed by the webserver/PHP; the output (to the client) only contains the output of the script, in this case: nothing. So this script is safe from outsiders, but if someone on the same host can read the script's file locally (i.e. the code, not only the output) the function might be used to connect to your database.
Therefore check the file permissions and ask your provider how different accounts are separated from each other.
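
The file-permission check suggested in the post above, as an added example that is not part of the thread: it reports which accounts other than the owner can read or change the include file holding the database details. It assumes a POSIX host; `audit_mode()`, `audit_file()` and the temporary demo file are hypothetical names and data constructed for illustration.

```php
<?php
// Added example (not from the thread): report who, besides the owner, can read
// or change the include file that holds the database details.

/** Findings for permission bits, e.g. fileperms($path) & 0777. */
function audit_mode(int $mode): array
{
    $checks = [
        0004 => 'world-readable: any local account can read the source',
        0002 => 'world-writable: any local account can replace the file',
        0040 => 'group-readable: check which accounts share the group',
        0020 => 'group-writable: group members can replace the file',
    ];
    $findings = [];
    foreach ($checks as $bit => $message) {
        if ($mode & $bit) {
            $findings[] = $message;
        }
    }
    return $findings;
}

/** Audit one file on a POSIX host; returns a list of findings (empty = OK). */
function audit_file(string $path): array
{
    clearstatcache(true, $path);          // avoid stale stat data after chmod
    $perms = @fileperms($path);
    if ($perms === false) {
        return ["cannot stat $path"];
    }
    return audit_mode($perms & 0777);     // drop the file-type bits
}

// Demonstration on a constructed temporary file standing in for the
// database-details include (hypothetical; point audit_file() at your own).
$demo = tempnam(sys_get_temp_dir(), 'dbcfg');
foreach ([0644, 0640, 0600] as $mode) {
    chmod($demo, $mode);
    $findings = audit_file($demo);
    printf("%04o: %s\n", $mode, $findings ? implode('; ', $findings) : 'owner-only');
}
unlink($demo);
```

Where PHP runs as a shared web-server account rather than as your own user, the file may have to stay readable by that account, which is why the provider's answer about account separation matters as much as the mode bits.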
Dave9191
Forum Newbie
Posts: 9
Joined: Wed May 28, 2003 11:31 am

Post by Dave9191 »

Ah ha :D This sounds like a good plan, thank you :)

It's more secure than just having a php file that connects. And some fiddling with folder access settings should be nice too.